iOS Password Prompts Are Ripe for Abuse

Apple’s practice of repeatedly asking users for their iTunes password needlessly exposes iOS device owners to phishing attacks, according to mobile app developer Felix Krause.
Krause’s beef with Apple is that too often, and at seemingly random times, iOS pops up a dialog box asking users to enter their Apple ID. The prompts have become so routine that users type in their credentials without considering that the popup could be malicious, he said.
“As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the spring board, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases,” wrote Krause on Apple’s Open Radar community bug report posted Monday.
His premise is that these repeated password requests could be abused by a rogue app developer who uses the standard “UIAlertController” prompt to build a dialog that looks exactly like Apple’s own system popup requesting an Apple ID or password (see below).
“Even users who know a lot about technology, have a hard time detecting that those alerts are phishing attacks,” Krause said.
The app developer proposes several solutions. For example, when Apple needs the user’s iTunes ID, it could require the user to open the iOS Settings app to enter it, rather than typing it into an in-app dialog. Another proposal is to require app-generated dialog boxes to carry a visual indicator showing that the app, and not the system, is asking for the credentials.
Krause also argues on his personal blog that Apple should “fix the root of the problem” and that “users shouldn’t constantly be asked for their credentials.”

“Initially I thought, faking those alerts requires the app developer to know your email. Turns out, some of those auth popups don’t include the email address, making it even easier for phishing apps to ask for the password,” he said.
Krause said he is unaware of any instances where this dialogue box has been abused.
If Apple doesn’t take any action, Krause suggests that when users encounter an iOS credential dialog they should press the Home button. If the box closes, it’s a phishing attack. “If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app,” he wrote.
Another solution is to enable two factor authentication. But even then, he cautions: “Even with 2FA enabled accounts, what if the app asked you for your 2 step code? Most users would gladly request a 2FA-token and ask for it, and directly pipe it over to a remote server.”
He said users should be trained not to automatically enter their credentials into Apple-looking dialog boxes, in the same way they have been trained not to follow links in unsolicited emails.
“Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text,” he wrote. “I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.”